Tag Archives: TIA

The US government is obsessed about your phone calls, email, web surfing and a log of everywhere that you travel. The obsession has become so intense over the past few years, that they have had to recast the definition of data gathering. After all, warrantless wiretapping and domestic spying is illegal. And so once exposed, Uncle Sam now claims that massive public eavesdropping, archiving and data mining (including building cross-domain portfolios on every citizen) does not count as “spying” because a human analyst has not yet listened to a particular conversation. The way your government spins it, if they have not yet listened into private, domestic conversations, they can gather yottabytes of personal and businesses without any judicial oversight.

The increasing pace of Big Brother’s appetite for wads of personal data is–at the very least–alarming and more specifically, unlikely to result in anything more than a Police State. To learn about some of these events, check our recent articles on the topic of Uncle Sam’s proclivity for data gathering.

Whistle blower, William Binney, explains a secret NSA program to spy on U.S. citizens without warrants

I’m Not Doing Anything Illegal. Why Should I Care?

Here at AWildDuck, we frequently discuss privacy, government snooping, and projects that incorporate or draw upon warrantless interception. In just the USA, there are dozens of projects–past and present–with a specific mandate to violate the Foreign Intelligent Surveillance Act. How can the American government get away with it? In the past decade, as leaks began to surface, they tried to redefine the meaning of domestic surveillance to exclude sweeping acts of domestic surveillance. The Bush era interpretation of USSID 18 is so farcical, that it can be debunked by an elementary school pupil. As the ruse unraveled, the wholesale gathering of data on every citizen in America was ‘legitimized’ by coupling The Patriot Act with general amnesty for past acts warrantless wiretapping. Dick Cheney invoked the specter of 911 and the urgent need to protect Americans from terrorism as justification for creating a more thorough and sweeping police mechanism than any totalitarian regime in history.

The programs go by many names, each with a potential to upend a democracy: Stellar Wind, The Patriot Act, TIA, Carnivore, Echelon, Shamrock, ThinThread, Trailblazer, Turbulence, Swift, and MINARET. Other programs thwart the use of privacy tools by businesses and citizens, such as Clipper Chip, Key Escrow and the classification of any secure web browsing as a munition that must be licensed and cannot be exported. The list goes on and on…

A myriad of dangers arise when governments ‘of-the-people and by-the-people’ engage in domestic spying, even if the motive is noble. Off the bat, I can think of four:

Justifications are ethereal. They are based on transient goals and principles. Even if motives are common to all constituents at the time a project is rolled out, the scope of data archived or the access scenarios inevitably change as personal and administrations change.

Complex and costly programs are self-perpetuating by nature. After all, no one wants to waste billions of taxpayer dollars. Once deployed, a massive surveillance mechanism, it is very difficult to dismantle or thwart.

Perhaps most chilling, is the insipid and desensitizing effect of such programs. Once it becomes acceptable for a government to spy on its citizens, it is a surprisingly small step for neighbors, co-workers and your own children to become patriotic partners in surveillance and reporting. After all, if your government has the right to preemptively look for dirt on your movement, Internet surfing, phone calls, cash transactions and sexual dalliances, then your neighbor can take refuge in the positive light of assisting law enforcement as they transmit an observation about an unusual house guest or the magazines you subscribe to.

What’s New in Domestic Spying?

This is a landmark week for anyone who values privacy and who understands that domestic spying is not a necessary tool of homeland security. This week, we are learning that US surveillance of its citizens is skyrocketing and a court case is about to either validate or slap a metaphorical wrist. Either way, each event brings us ever closer to the world depicted in Person of Interest. For now, I am citing breaking news. We’ll flush out the details soon.

For access to a home or automobile, most people use a key. Access to accounts or transactions on the Internet usually requires a password. In the language of security specialists, these authentication schemes are referred to as using something that you have (a key) or something that you know (a password).

In some industries, a third method of identification is becoming more common: Using something that you are. This area of security and access is called ‘biometrics’. The word is derived from bio = body or biology and metrics = measurement.

The data center that houses computer servers for AWildDuck also houses valuable equipment and data for other organizations. When I visit to install a new router or tinker with my servers, I must first pass through a door that unlocks in the presence of my fob (a small radio-frequency ID tag on my key chain). But before I can get to the equipment cage that houses my servers, I must also identify myself by placing the palm of my hand on a scanner and speaking a code word into a microphone. I don’t know if my voice is identified as a biometric, but the use of a fob, a code word and a hand-scan demonstrates that the facility uses all three methods of identify me: Something that I have, something that I know and something that I am.

If you work with technology that is dangerous, secret, or that has investor involvement, then biometric identification or access seems reasonable. After all, something-that-you-are is harder to forge than something that you have. Because this technique is tied to part of your body, it also discourages the loaning of credentials to a spouse, friend, or blackmailer.

But up until now, biometric identification required the advance consent of the individuals identified. After all, before you can be admitted to a secure facility based on your hand print, you had to allow your hand to be scanned at some time in the past. This also suggests that you understood the legitimate goals of those needing your identification in the future.

Few Americans have been compelled to surrender their biometrics without advance consent. There are exceptions, of course. Rapists and individuals applying to live in the United States are routinely fingerprinted. Two very different demographics, and yet both are compelled to surrender a direct link to their genetic makeup. But until now, we have never seen a non-consenting and unsuspecting population subjected to wholesale cataloging of personal biometrics. Who wants all of this data? What could they do with it?

Here at AWildDuck, we have written about the dogged persistence of conservatives in the American government to seek a state of Total Information Awareness. But now, Uncle Sam is raising the stakes to a new low: The Dick Cheneys and Karl Roves aren’t satisfied with compiling and mining data from that which is online, such as phone books, Facebook data, company web sites, etc. They want access to as much personal and corporate data as they can get their hands on: Bank records, credit card receipts, tax returns, library borrowing records, personal email, entire phone conversations & fax images, and the GPS history logged by your mobile phone.

Perhaps even more creepy, is the recent authorization for the use of high altitude drones for domestic law enforcement. But wait! That development pales in comparison with a minor news bulletin today. The FBI has just funded a program of facial recognition. We’re not talking about identifying a repeat bank robber, a missing felon or an unauthorized entry across our borders. We are talking about scanning and parsing the entire population into a biometric fingerprint database. The project aims to cull and track facial images – and identify each one – from every Flickr account, every ATM machine, every 7-11…in fact, every single camera everywhere.

If you have a driver’s license, a Facebook account, or if you ever appeared in a college yearbook, it’s a certainty that you will soon surrender identifiable biometrics, just like a rapist or a registered alien. By 2014, we may arrive at 1984.

The one billion dollars set aside by the FBI for the facial recognition component of Project Über Awareness belies the truly invasive scope of body-cavity probing that the Yanks want to administer. The massively funded effort includes a data archival project buried within a Utah hill that is brain-seizing in size and scope. Forget about Tera, Peta and Exabytes. Think instead of Yotta, Zeta and Haliburtabytes.

Engadget is a popular web site that reviews and discusses high tech markets, media & gadgets. Below, they discuss the facial recognition component and its privacy implications. Just as with our past articles on this topic, Engadget begins with a still image from the ABC television series Person of Interest. The show depicts the same technology and it’s all encompassing power. Whomever controls it has the power to manipulate life. But unlike Mr. Finch, a fictional champion of stalked heroines, the Big Brother version is not compelled by a concern for individual safety and security. Instead, the US government is using the specter of terrorism and public safety to bring the entire world one giant leap closer to a police state.

Do we really want our government – any government – to know every detail about our daily lives? Does the goal of securing public safety mean that we must surrender our individual freedoms and privacy completely? Are individuals who don’t care about privacy absolutely certain that they will trust their governments for all time and under all circumstances? Do they expect that the data will never be breached or used for purposes that were not originally sanctioned or intended? Is anyone that naïve?

I originally wrote this in April 2011 as feedback to this article in PC World.
__________________________________________________________

The article linked above begins with these words:

Law enforcement organizations are making tens of thousands of requests for private electronic information from companies such as Sprint, Facebook and AOL.

Police and other agencies have “enthusiastically embraced” asking for e-mail, instant messages and mobile-phone location data.

PC Wiretapping with a court order is one thing. But this amounts to preemptive forensics. It reeks of unreasonable search…

Intercepting and reading private communica- tions has no ethical leg to stand on, especially when initiated by a police force. It suggests that personal email (or data written to a disk) should have less protection than private thought. Personal communications must be rendered off limits to interlopers. I say “rendered” rather than legislated, because technology exits to foil overzealous acts of law enforcement. In security consulting, I rarely help courts to glean information that the author believed to be private. Applying forensic skills in this way puts blood on the hands of good technicians. (Quite literally, it had better involve a murder or bomb threat). Instead, I am more likely to help individuals and organizations confound any attempt to reconstruct, trace or decode information, including content, history, ownership, origin, transfer (including asset transfer) or digital fingerprints.

I call this practice “Antiforensics”. More like-minded privacy advocates are heading in this direction. In almost every case that forensics is employed without consent of the creator or archivist (i.e. the person being investigated), the practice is unethical. I would never claim that the field lacks all legitimate purpose, but it is too often used by courts concerned with porn, drugs, your marriage, disputes between corporations, or the money in your mattress. At the drop of a hat, a forensic specialist will roll over and sing like a jay bird for any court in the land. Must we sell out? Where does basic privacy fit into the picture?

Cryptography and stenography not only belong in the hands of every human (Thank you, Philip Zimmerman), they should be inherent in every email, fax and phone conversation. They should be part of private communication and every save-to-disk. If “The Man” has a compelling reason to catch you with your pants down, he should have both a court order and a good gumshoe. One who resorts to conventional means at either end of the communication, rather than mining for data at a nexus in New Jersey (AT&T) or Virginia (NSA).

As a security specialist for almost 30 years, I have seen “forensics” destroy families, lives and laudable civil movements. The art of a 3rd party using forensics for the improvement of society is far less prevalent than forensic activities that interfere with personal or political freedoms.

The spirit of prophylactic and preemptive antiforensics is embodied at Fungible.net, a data recovery lab in New England.* Mouse over the red words “Forensics” and “Security”. The lab uses the most sophisticated forensic tools, but they won’t sell out to a court unless someone has targeted the president.

Are they I in the minority, practicing “anti-forensics” with zeal and passion? My concern for privacy (before and during an investigation) exceeds my allegiance to political jurisdiction.

Ellery Davies clarifies law and public policy. He is a privacy champion, antiforensics expert, columnist to tech publications and inventor or Blind Signaling and Response. Here at A Wild Duck, Ellery dabbles in economics and law.

* Fungible.net is a data recovery service. But they also host Ellery’s Wild Duck blog.